Questions about Bro Capabilities

Yeah, that was my thought too. (This is an offline scheme, isn't it?)

If I understood your approach correctly, you depend on
application-layer analysis to find "your" traffic. In that case,
doing it in a single pass would likely miss packets because you
might only be able to take the decision some way into the stream.

At the same time it also sounds like you're always cutting out
complete flows rather than just individual packets. So, a two-pass,
flow-based approach sounds indeed reasonable.

Does this make any sense?

Robin
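The two-pass, flow-based approach sketched above, as an added illustration (not code from the thread or from Bro itself). It models packets as in-memory tuples rather than reading a pcap, reassembles each flow's payload by simple concatenation in capture order (no per-direction TCP sequence handling), and uses a constructed HTTP "Host:" match as the application-layer decision; all addresses and payloads are made up. The point it shows is the one Robin makes: a single-pass filter drops the packets that precede the decision point, while a first pass that only decides per flow and a second pass that cuts out whole flows keeps them.

```python
"""
Two-pass, flow-based packet extraction (added example).

Pass 1: reassemble each flow's application payload and decide, per flow,
whether it is "ours". The decision may only become possible some way into
the stream (here: once an HTTP Host header has been seen).
Pass 2: re-read the capture and keep every packet of each selected flow,
including the packets that preceded the decision point.

Assumptions: packets are a constructed in-memory model (timestamp,
5-tuple, payload); streams are concatenated in capture order, ignoring
TCP sequence numbers, direction and retransmissions.
"""
from collections import defaultdict
from typing import Callable, Dict, List, NamedTuple, Set, Tuple


class Packet(NamedTuple):
    ts: float
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


FlowKey = Tuple[str, str, int, str, int]
Predicate = Callable[[bytes], bool]


def flow_key(p: Packet) -> FlowKey:
    """Direction-independent flow key: both directions map to one key."""
    lo, hi = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (p.proto, lo[0], lo[1], hi[0], hi[1])


def first_pass(packets: List[Packet], predicate: Predicate) -> Set[FlowKey]:
    """Reassemble each flow and return the keys of flows the predicate accepts."""
    streams: Dict[FlowKey, bytes] = defaultdict(bytes)
    for p in packets:
        streams[flow_key(p)] += p.payload
    return {k for k, stream in streams.items() if predicate(stream)}


def second_pass(packets: List[Packet], selected: Set[FlowKey]) -> List[Packet]:
    """Keep every packet, in order, whose flow was selected in the first pass."""
    return [p for p in packets if flow_key(p) in selected]


def extract_two_pass(packets: List[Packet], predicate: Predicate) -> List[Packet]:
    return second_pass(packets, first_pass(packets, predicate))


def extract_single_pass(packets: List[Packet], predicate: Predicate) -> List[Packet]:
    """Naive one-pass filter: a packet is kept only once its flow has already
    been identified, so everything before the decision point is lost."""
    streams: Dict[FlowKey, bytes] = defaultdict(bytes)
    selected: Set[FlowKey] = set()
    kept: List[Packet] = []
    for p in packets:
        k = flow_key(p)
        streams[k] += p.payload
        if k not in selected and predicate(streams[k]):
            selected.add(k)
        if k in selected:
            kept.append(p)
    return kept


def missed_by_single_pass(packets: List[Packet], predicate: Predicate) -> int:
    """How many packets of the wanted flows a single pass would have dropped."""
    return len(extract_two_pass(packets, predicate)) - len(extract_single_pass(packets, predicate))


def is_target(stream: bytes) -> bool:
    """Constructed application-layer criterion: HTTP traffic to one Host."""
    return b"\r\nHost: shop.example\r\n" in stream


# Constructed sample capture (RFC 5737 documentation addresses).
C = ("10.0.0.5", 40001)      # client side of the wanted connection
S = ("192.0.2.10", 80)       # wanted server
O = ("192.0.2.20", 80)       # some other server
SAMPLE: List[Packet] = [
    Packet(0.00, "tcp", C[0], C[1], S[0], S[1], b""),                                  # SYN
    Packet(0.01, "tcp", S[0], S[1], C[0], C[1], b""),                                  # SYN/ACK
    Packet(0.02, "tcp", C[0], 40002, O[0], O[1], b"GET / HTTP/1.1\r\nHost: other.example\r\n\r\n"),
    Packet(0.03, "tcp", C[0], C[1], S[0], S[1], b"GET /cart HTTP/1.1\r\n"),            # request line only
    Packet(0.04, "tcp", C[0], C[1], S[0], S[1], b"Host: shop.example\r\n\r\n"),        # decision point
    Packet(0.05, "tcp", S[0], S[1], C[0], C[1], b"HTTP/1.1 200 OK\r\n\r\n"),
    Packet(0.06, "tcp", O[0], O[1], C[0], 40002, b"HTTP/1.1 404 Not Found\r\n\r\n"),
]

if __name__ == "__main__":
    print("two-pass kept:", [p.ts for p in extract_two_pass(SAMPLE, is_target)])
    print("single-pass kept:", [p.ts for p in extract_single_pass(SAMPLE, is_target)])
    print("packets a single pass would miss:", missed_by_single_pass(SAMPLE, is_target))
```

On the sample capture the single pass keeps only the packet carrying the Host header and the reply after it; the handshake and the request line that came earlier in the same flow are gone. The two-pass variant keeps all five packets of that flow and nothing from the other connection. In a real tool the first pass would be the place to let Bro's protocol analysis make the decision and log the flow keys, with the second pass being a plain BPF or pcap filter on those 5-tuples.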